Home / Companies / Semgrep / Blog / Post Details
Content Deep Dive

Forking Shai-Hulud: RedHat npm Packages Are The Next Victim After GitHub Actions Compromise and Worm

Blog post from Semgrep

Post Details
Company
Date Published
Author
Katie Paxton-Fear
Word Count
633
Company Posts That Month
10
Language
English
Hacker News Points
-
Post removed?
No
Summary

RedHat recently fell victim to an npm worm attack that compromised numerous packages in the @redhat-cloud-services npm organization, replacing the Dune theme with Greek Mythology elements, and is suspected to be a variant of the Mini Shai-Hulud malware. This attack utilizes multi-stage credential harvesters that activate through preinstall hooks during npm installations, targeting secrets from various platforms including GitHub Actions, AWS, GCP, Azure, Kubernetes, and more. The breach was facilitated by compromised GitHub Actions OIDC tokens, and the malicious packages were distributed through the RedHatInsights/javascript-clients repository. The worm, which modifies its approach to seek more cloud environment credentials, exfiltrates data by reading directly from GitHub Actions Runner’s memory and collecting various credentials, such as AWS and Azure tokens, npm publish tokens, and .env files, potentially impacting CI/CD environments significantly.

Trends Found in this Post
Trend Post Mentions Total Month Mentions Posts Companies MoM
MCP 6 7,418 806 202 +5%
Secrets Management 5 2,464 377 128 +14%
Kubernetes 3 2,147 317 104 +9%
Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.